Compliance Means Caution: Take Steps To Ensure Patient Privacy With Business Associate Contracts

The Health Insurance Portability and Accountability Act (HIPAA) required all health care providers to be in compliance with its privacy regulations by April 14. Among the various compliance standards is the requirement to execute ‘business associate contracts’ to assure that third parties who provide goods and services to health care providers will cooperate to keep protected health information (PHI) private.

Who is a ‘business associate’? It is easier to identify who isn’t a business associate. Business-associate agreements are generally not necessary for disclosures to another health care provider concerning treatment. Examples are disclosures concerning treatment to:

• Labs;
• Pharmacies;
• Hospitals;
• Health care entities participating in organized health care arrangements (OHCAs);
• Referring or consulting physicians; or
• Members of the health care provider's workforce.

Employees, volunteers, and trainees of a health care provider are considered members of the provider’s workforce and not business associates. Independent contractors may be included as members of the workforce if they are assigned to a workstation on the provider’s premises and perform a substantial proportion of their duties at that workstation. It is advisable to procure a business-associate contract with temporary employment agencies and to instruct temporary employees relative to PHI.

The aforementioned entities may be considered business associates if they perform services other than patient treatment, such as administrative, billing, quality review, or similar services. Other examples of entities that generally are not business associates include:

• Cleaning crews;
• Repair or service technicians for copiers, fax, or phone, etc.;
• Federal Express, UPS, or U.S. Postal Service workers;
• Payers;
• Researchers;
• Public health agencies;
• Pharmaceutical representatives;
• Landlords; or
• Banks and other financial institutions that process consumer transactions by debit or credit card, or clear checks.

If any of the above entities have access to or contact with PHI, such as unsecured medical records, patient lists, etc., it may be advisable to secure a business associate contract anyway.

Generally, a business associate is an individual or entity that, on your behalf, performs or assists in the performance of a function or activity involving use or disclosure of individually identifiable health information, including activities such as:

• Claims processing or administration;
• Quality assurance;
• Billing and collections;
• Practice management; or
• Any other function or activity regulated by the privacy rule.

Business associates also include people who provide any of the following services for you where you or another of your business associates discloses individually identifiable health information to the person:

• Legal;
• Actuarial;
• Accounting;
• Consulting;
• Data aggregation or mining;
• Management;
• Administrative;
• Accreditation;
• Financial services;
• Answering service;
• Health care clearinghouse services;
• Transcription;
• Document shredding;
• Information storage or archiving; or
• Software and other IT support services.

If a health care provider has written service contracts that were executed prior to Oct. 15, 2002, there are some transition provisions relative to obtaining business associate contracts, but these are very limited.

The required elements of a business associate contract are numerous and beyond the scope of this article. There are various well-publicized sources available for guidance on business associate contracts. This author's recommended source is the Medical Group Management Association. The MGMA has an online interactive service called HIPAA Steps, which is a comprehensive solution to HIPAA compliance. To view a demonstration of this program, visit www.mgmahipaasteps.com.

Health care providers are not required to monitor or oversee the conduct of business associates, nor are they responsible under the privacy rule for the actions of business associates following the securing of appropriate signed agreements, unless they learn of a pattern of activity constituting a material breach of contract and fail to take action.

In such a case, the health care provider should take reasonable steps to cure the breach or end the violation. If those steps are unsuccessful, the provider should terminate the contract with the business associate if feasible and, where termination is not feasible, report the problem to the Department of Health and Human Services. To the extent practical, the provider should also mitigate any known harm from the violation. In any event, the steps taken should be documented.

Securing business-associate contracts is only one aspect of compliance with HIPAA, but it is critical to protecting the privacy of patients. In regard to who is or is not a business associate, it is advisable to err on the side of caution.

James B. Calnan, CPA, is partner-in-charge of the Health Care Services Division of Meyers Brothers, P.C. in Longmeadow; (413) 567-6101
